(TS//SI//NF) Implementation of the Foreign Intelligence Surveillance Court 
Authorized Business Records FISA - NSA Review 
25 June 2009 

I. (U) Executive Summary 

(TS//SI//NF) The Business Records FISA Compliance Review Team of the National 
Security Agency (NSA), in response to instructions from the Director of NSA (DIRNSA) 
and as set out in DIRNSA’s Declaration of 13 February 2009 to the Foreign Intelligence 
Surveillance Court (FISC), conducted a comprehensive systems engineering and process 
review of the instrumentation and implementation of the Business Records (BR) FISA 
authorization. This review was focused along the two major components where 
compliance issues had been reported - system-level technical engineering and execution 
within the analytic workforce. 

(TS//SI//NF) The review entailed 8 major system or process components of the BR FISA 
metadata workflow, 248 sub-components, and 93 requirements and resulted in 9 new 
areas of concern based on past practices as described herein. NSA has taken steps, 
described herein, to remedy the problems identified, and to ensure to the extent possible 
they will not recur. NSA has also developed plans for both the current and future 
architecture to provide more rigorous and efficient protection, control and monitoring of 
the BR FISA metadata. Implementation of the envisioned changes in architectural design 
and oversight procedures briefly described in this report will help mitigate vulnerabilities 
and correct the problems identified through the course of the end-to-end review. 

(C//REL TO USA, FVEY) The end-to-end review revealed that there was no single cause 
of the problems that occurred and, in fact, there were a number of successful oversight, 
management and technology processes in place that operated as designed. The problems 
NSA experienced stemmed from a basic lack of shared understanding among the key 
mission, technology, legal and oversight stakeholders of the full scope of the program to 
include its implementation and end-to-end design. The complexity of the overall 
configuration, due in part to the intricacy of the system and the differing rules associated 
with NSA’s various authorizations, was also a contributing factor as was the fact that 
NSA oversight was primarily focused on analyst access to and use of the metadata. 

(TS//SI//NF) This report, which assumes a basic knowledge of NSA’s structure and some 
familiarity with the FISC documents and DIRNSA declarations associated with the BR 
FISA program, addresses previously identified and newly uncovered areas of concern, as 
well as the corrective actions already taken, and those on-going or planned, to address 
these issues. It details the scope of the end-to-end review, the methodology employed 
and the results. It also describes the minimization and oversight procedures NSA 
proposes to employ should the FISC decide to approve NSA’s resumption of previously 
authorized access to the BR FISA metadata, to include automated alerting and querying 
of the metadata, as well as the authority to establish whether a telephony selector meets 
the Reasonable Articulable Suspicion (“RAS”) standard for analysis (i.e., regular 
authorized access). Additionally, the report outlines the checks, balances and safeguards 
engineered into the system; points to the need to clarify existing language in some cases; 
and describes enhanced training for the workforce that is designed to prevent future 
instances of non-compliance. Finally, the report includes a summary of a proposed 
technical architecture which will further protect BR FISA metadata. 

(TS//SI//NF) In conducting the end-to-end review, NSA established a diverse team of 
technical, legal and mission experts to examine jointly the key functional areas of system 
engineering, mission operations and oversight. The NSA team created an architectural 
diagram of the end-to-end data and workflow and examined each major system 
component and sub-component to ensure a complete understanding of how the data was 
handled. In addition, NSA compiled all BR FISA-related requirements and evaluated 
each system and process component against those requirements to identify areas of 
concern or vulnerability. 

(U//FOUO) In moving forward, NSA will not only address the specific technical and 
process issues identified in this report, but will also implement changes in its program 
management construct to increase transparency and awareness among accountable parties 
and establish an enduring view of the full scope of the program. 

(U//FOUO) NSA may produce additional supplements to this report to the extent 
necessary to respond to additional items that may be of interest to the court. 



II. (U//FOUO) Results of Detailed Analysis on Identified Areas of Concern 
A. (U//FOUO) Previously Reported Compliance Issues 

1. (U//FOUO) Telephony Activity Detection (Alerting) Process 
(U) Description 



(TS//SI//NF) As previously described to the Court, 1 NSA implemented an activity 
detection (alerting) process 2 in a manner that was not authorized by the Court’s Order, 
and then inaccurately described that process in its initial and each subsequent report to 
the Court. NSA stated that only RAS-approved selectors were included on the Activity 
Detection List when, in fact, the list included those RAS-approved and non-RAS-approved 
selectors 3 which were also tasked for content collection by counterterrorism 



analysts tracking 



and associated terrorist organizations or, subsequent to 



1 (U//FOUO) See DIRNSA Declaration dated 13 February 2009, at Sections III.A. and III.B. 

2 (U//FOUO) NSA now refers to the Alert Process and the Alert List as the Activity Detection Process and 
the Activity Detection List to more accurately describe their functions. 

3 (TS//SI//NF) In mid-January 2009, there were 1,935 RAS-approved and 15,900 non-RAS-approved 
selectors on the Activity Detection List. At that time, the Station Table (the reference database of all RAS 
evaluations) had approximately 27,000 selectors identified as RAS-approved and 63,000 selectors 
identified as non-RAS-approved. 

the modifications of the BR FISA Court Order on 8 August 2006 and again on 14 June 
2007, 



(TS//SI//NF) The Activity Detection List that was used prior to 24 January 2009 to alert 
analysts to a selector of potential interest was a list independent of the Station Table, the 
historic reference database of all RAS evaluations. The Activity Detection List was 
compared against the incoming BR FISA data to assist analysts in prioritizing their work. 
Some of the selectors on the Activity Detection List had been RAS evaluated, and their 
status would have been reflected on the Station Table. Others had never been evaluated 
for RAS and would not have appeared in the Station Table. In this latter case, they were 
treated as non-RAS-approved on the alert list which meant that contact chaining did not 
take place in the complete body of archived data until and unless the particular selector 
had satisfied the RAS standard. 



(TS//SI//NF) NSA’s description of this process to the Court reflected a similar process 
already in place for the program, but NSA’s 
implementation of the two processes was actually different. Further, as described to the 
Court, the NSA personnel who designed the BR FISA Activity Detection List process 
believed that the requirement to satisfy the RAS standard was only triggered when access 
was sought to NSA’s stored (i.e., “archived” in NSA parlance) repository of BR FISA 
metadata. The inaccurate characterization was identified in the course of a meeting 
between NSA and representatives from the National Security Division (NSD) of the 
Department of Justice (DoJ) on 9 January 2009. During discussions, DoJ identified what 
was ultimately determined to be an incident of non-compliance with the Order. After 
additional inquiry, NSD/DoJ officially reported the incident to the FISC on 15 January 
2009. 



(TS//SI//NF) Between 20 and 24 January 2009, the RAS-approved portion of the Station 
Table was mistakenly implemented as the Activity Detection List in an attempt to address 
the original problems identified with the alerting process. At that time there were 
approximately 27,000 selectors on this list, approximately 600 of which were designated 
as RAS-approved without having undergone NSA Office of General Counsel (OGC) 
review as described in Section II.A.4. 



(TS//SI//NF) NSA completely shut down the Activity Detection Process against the BR 
FISA metadata on 24 January 2009 as a corrective measure. 



2. (U//FOUO) The 




Mechanism 



4 (TS//SI//NF) As of 8 August 2006, queries of the BR metadata for telephone identifiers reasonably 
believed to be associated permitted by the Court. As of 14 June 
2007, the authorization expanded again to include queries of the BR metadata for telephone identifiers 
reasonably believed to be associated associated terrorist organizations to 
include 

As previously reported to the Court, from May 2006 to 1 d t 
NSA intelligence analysts who were working counterterrorism targets had 
known as MMH which was used to assist them in determining wheth 
telephone identifier of interest was present in NSA's metadata repositories 
what the level of calling activity was for that selector. Between these date; 
in turn, accessed the data present in the BR FISA metadata repository to a; 
responding to these questions. 
is not a tool used for contact ch 
. Rather, for each query of a specific telephony selector, th 
tool returns the number of unique contacts, the number of calls made, the < 
and last call events recorded in NSA's data repositories and the amount of 
process the query. It does not return the actual telephone identifiers in con 
selector that serves as the basis for the analyst’s query. Thougi 
as a stand-alone tool, it is more commonly invoked by other tools such as 



es oi me 
ne it took 
t with the 
an be use 



(TS//SI//NF) On 19 February 2009, NSA confirmed that performed queries 
against the BR FISA metadata repository using non-RAS-approved selectors. It was also 
confirmed that analysts who were not BR FISA-authorized inadvertently accessed BR 
FISA metadata without realizing it as a result of accessing The results 
returned from this tool did not identify to the user whether their results came from BR 
FISA or from metadata collected pursuant to NSA’s authority to collect signals 
intelligence information under Executive Order (EO) 12333, but rather combined them 
into a consolidated summary. 



(U) Remedial Steps 



(TS//SI//NF) On 20 February 2009, NSA removed the specific system-level certificate 
(cryptologic authentication for software akin to a ticket used to confirm the bearer is 
entitled to enter) that had allowed the BR FISA-enabled 

to access the BR FISA metadata chain 
repository. 6 Out of an abundance of caution, NSA also made software changes on 6 
March 2009 which removed analysts’ ability to manually invoke 

against BR FISA metadata. While 

could still automatically be 



5 (U//FOUO) See DIRNSA Supplemental Declaration dated 25 February 2009 at Section II. A. & R. 

6 (TS//SI//NF) The removal of the system-level certificate cut off all access to the BR FISA metadata chain 
repository by any automated process or subroutine. 

invoked via the Automated Chaining Analysis Tool (ACAT), 7 as stated, the revocation of 
the system level certificate prevented 
from accessing the BR FISA metadata 
chain repository. 

3. (U//FOUO) Improper Analyst Queries 

(U) Description 

(TS//SI//NF) Among the compliance issues previously reported to the Court was NSA’s 
discovery that between 1 November 2008 and 23 January 2009, three analysts 
inadvertently performed chaining within BR FISA metadata repository 

using 14 different telephone identifiers that did not meet RAS approval prior to the query. 
The analysts did not realize they were querying the BR FISA metadata and none of the 
identifiers was associated with a U.S. telephone number or person. Based on an audit of 
other queries the analysts were conducting at the same time, it appears each analyst 
thought he or she was conducting queries of other repositories of telephony metadata that 
are not subject to the requirements of the Business Records Order. 



(U) Remedial Steps 

(TS//SI//NF) NSA implemented the Emphatic Access Restriction (EAR) to ensure that 
contact chaining in the BR FISA repository is restricted 

to only those seeds that have been RAS-approved. 
support personnel have 
conducted tests to ensure the EAR is functioning properly by monitoring manual query 
input and output, evaluating individual and connected functions, as well as examining log 
files to ensure the results of manual queries, now with the EAR in place, produce the 
desired results. Earlier NSA had also introduced a safeguard requiring the analysts to 
acknowledge that they were about to access the BR FISA metadata 
further reduce the potential for additional instances of non-compliance. More formal and 
rigorous training also emphasizes the need for caution when invoking their BR FISA 
authority. NSA is in the process of finalizing the testing of a software modification which 
will restrict the analysts to chaining no more than three hops from a RAS-approved 
selector within BR FISA metadata repository. 

(TS//SI//NF) Internal audits of the activities of NSA personnel authorized to query the 
data under the 5 March 2009 order since 17 March 2009, when the Court approved the 
first batch of BR FISA metadata selectors as meeting the RAS standard, have shown no 
further compliance issues. 

4. (TS//SI//NF) U.S. Identifiers Designated as RAS-Approved without OGC Review 



(U//FOUO) The relationship between the t ACAT 

can be found in the Appendix. Glossary of Terms. 

* (U//FOUO) See DIRNSA Supplemental Declaration dated 25 February 2009 at Section HR. 



TOP SECRET//COMINT//ORCON/NOFORN 






(TS//SI//NF) Between 24 May 2006 and 2 February 2009, NSA designated 
approximately 3,000 U.S. selectors as RAS-approved on the Station Table without 
undergoing the required OGC approval. This set of numbers was derived from two time 
periods: 1 January 2005 to 23 May 2006 and 24 May 2006 to mid-December 2008. 

Approximately 600 U.S. selectors that had been tipped to FBI and CIA 
between 1 January 2005 and 23 May 2006 as having ties to known, or probable, terrorist 
entities were added to the Station Table after the BR FISA Order was issued in an effort 
to “jump start” the BR FISA operations. These 600 U.S. selectors did not undergo OGC 
review. 



(TS//SI//NF) Between 24 May 2006 and 6 May 2009, NSA issued 277 BR FISA-based 
reports, all of which were based on contact chaining of RAS-approved selectors. Included 
in these reports were tips to customers (FBI, CIA, NCTC, and/or ODNI) of U.S. 
telephone numbers which had been in contact with a RAS-approved selector associated 
with 

three hops of a RAS-approved selector. For those reports issued between 24 May 2006 
and mid-December 2008, NSA took the additional step of designating as RAS-approved 
in the Station Table the subset of these domestic selectors that were tipped as having ties 
to known, or probable, terrorist entities. However, these selectors did not undergo the 
required OGC review. For this entire period (24 May 2006 to 15 December 2008), the 
total number of U.S. selectors added to the station table as RAS-approved, but without 
the OGC review, was approximately 2,400. 10 



(TS//SI//NF) At the time the RAS-approved portion of the Station Table was mistakenly 
implemented as the Activity Detection List in mid-January 2009, as described in Section 



9 (TS//SI//NF) The number of reports included in the DIRNSA Declaration of 13 February 2009 was 275. 
This was based upon information gathered on 6 February. Further review has taken into account the fact 
that an additional report was issued after 6 February, but before 13 February. Some of these reports had 
been cancelled for various reasons and some of the cancelled reports were reissued with corrections. 
Therefore, the correct number of unique reports as of the 13 February 2009 declaration should have been 
274. Since then, additional reports have been issued for a current total of 277 (as of 6 May 2009). The 
Declaration also stated that there were 2,549 selectors tipped in these reports. The actual number of 
selectors tipped in the 274 reports is 2,883. 

10 (TS//SI//NF) Approximately 1000 of these selectors from the post-23 May 2006 era were reported to 
customers as having only an indirect connection to known or probable terrorist selectors. It was not NSA 
policy to include this category of numbers in the Station Table as “RAS-approved.” However, an error was 
made during a bulk upload to the Station Table of tipped numbers on 9 December 2008 and these numbers 
were inadvertently included. They were present on the Station Table as RAS-approved until the entire set 
of 2,400 U.S. selectors were changed to “not RAS-approved” on 15 December 2008 (six days later). An 
audit of the Alert system, the and the Transaction Database showed that no chaining in 

the BR FISA metadata was performed on these numbers during this period. 

II.A.1, 11 approximately 600 of the U.S. selectors from the Table had not undergone the 
required OGC review. Forty-six of these approximately 600 selectors generated alerts as 
a result of the actions described in Section II.A.1; however, none of the resulting analysis 
based on these alerts yielded information that was subsequently tipped to customers. 

(TS//SI//NF) Designating these U.S. identifiers as RAS-approved without the required 
OGC review grew out of a related practice that NSA applied briefly to its development of 
the Telephony Activity Detection List in 2006. Specifically, in its first periodic report to 
the Court as directed in the initial May 2006 Order, NSA stated that U.S. identifiers that 
had been reported to FBI and CIA prior to 24 May 2006 because of their direct contact 
with international terrorism selectors had also been added to the alert list, even though 
they had not been qualified as seed identifiers and had not been reviewed by OGC. While 
the initial report explained to the Court the NSA rationale for the belief that these 
identifiers did not need to go through the full approval process to be included on the alert 
list, the November 2006 90-day report also stated that the practice had ceased as of 18 
August 2006. Although the use of this process to add identifiers to the Alert List did 
cease on that date, NSA failed to discontinue the process of adding selectors to the 
Station Table. 

(U) Remedial Steps 

(TS//SI//NF) In early February 2009, all selectors that the OGC had not reviewed were 
changed to non-RAS-approved on the Station Table. 

B. (U) Newly Identified Areas of Concern 



I Not Audited Prior to January 



(TS//SI//NF) January 2009 discussions between Oversight and Compliance (O&C) and 
the BR FISA-authorized analysts revealed that the 

NSA’s repository for individual BR FISA metadata one-hop chains, had not been audited, 
prompting further investigation as part of the end-to-end review. Prior to that time, NSA 
O&C was not aware of its existence in the technical architecture and therefore did not 
audit the database. 



(TS//SI//NF) Between May 2006 and January 2009 

logging capability recorded all queries via the analyst graphical user interface 

11 (TS//SI//NF) These were the approximately 600 from the pre-FISA era; the others had been changed to 
“not RAS-approved” in mid-December 2008. The failure to remove these approximately 600 numbers was 
an oversight. The 600 selectors were changed to “non-RAS-approved” on the Station Table in early 
February 2009. 

to the data within the to include the user’s login, Internet Protocol (IP) address, 
date and time, and retrieval request -- all fields required by the Order. Analysts use the 
to verify the specific call event details between two individuals — 
details such as which selector initiated each call, when the call was initiated and how long 
the call lasted. However, sometimes to verify the call details of a communication event 
the analyst uses the selector that was the first or second hop result as the retrieval request. 
Because of this, the selector that was the RAS-approved seed is not always evident in the 

In January 2009, NSA took steps to augment the 
information recorded in system log to include the 

RAS-approved seed that the user was asserting to be within two hops of the selector 
being queried. O&C began auditing queries to the database in February 2009. Since this 
enhanced auditing capability was added, O&C has audited the BR FISA-authorized 
intelligence analysts’ queries and found no evidence of improper queries. Although the 

suffered a system crash in September 2008, NSA 
was ultimately able to recover sufficient data to permit O&C to conduct sample audits of 
queries since the Order’s inception. These sample audits revealed no unauthorized 
analysts conducted queries against the BR FISA metadata and no authorized analysts 
conducted improper queries of the metadata. 



architecture, it is currently not protected by the EAR. NSA will migrate 
functionality into the corporate architecture to provide greater accountability and to help 
ensure compliance with the Court Order and any future requirements. Reconstituting this 
database within the corporate architecture will ensure that it is established and supported 
on systems that use corporate authentication/authorization services, use system security 
and configuration management practices, are certified and accredited with approval to 
operate on an active System Security Plan (SSP), 13 and above all employ software 
measures that minimize compliance risks. 

2. (TS//SI//NF) Data Integrity Analysts’ Use of BR FISA Metadata 



(TS//SI//NF) As part of their Court-authorized function of ensuring BR metadata is 
properly formatted for analysis, data integrity analysts seek to identify numbers in the BR 
metadata that are 



ysts had identified such 



Once the data 
e BR FI'S A data, t 



13 (U//FOUO) An SSP is a formal document describing the implemented protection measures for the secure 
operation of a computer system. 

(TS//SI//NF) NSA analysts authorized to query the BR FISA metadata routinely used 

to query the BR FISA 

metadata without a separate RAS determination on each correlated selector. In other 
words, if there was a successful RAS determination made on any one of the selectors in 
n, all were considered RAS-approved for purposes of the query because 
associated with the sam 
met the RAS stai 
notice was filed ' 



gh NSA obtained 
e FISC never add 
d when any one o 
i the FISC on this 



stations non: 
tool that the 
he correlatic 
s used to eo: 
usust 2008 : 



ds correlations between selectors or mt 
s the primary means by which correlate 
tadata. On 6 February 2009, prior to ths 
3R FISA metadata was disabled, proves 
relation results to BR FISA-authorized 
.R on 20 February ended the practice of 
moved in manual queries conducted wit 
ector to be individually RAS-approved 
a, NSA ceased the practice ~ 

analysts currently have the authority to access the BR FISA metadata. Thus, the 
collective experience of the BR FISA-authorized analysts represents a small fraction of 
NSA’s overall expertise on counterterrorism targets. CT target analysts beyond the small 
number currently authorized to query the BR FISA metadata are responsible for 
analyzing the data in the context of SIGINT information and writing reports; this practice 
continued under the structure imposed by the March Court Orders. NSA believed such 
internal sharing of the results of its analysis (as distinct from the bulk metadata itself) was 
consistent with the Court’s Orders, but had not included a description of it to the Court in 
its periodic reports prior to May 



(TS//SI//NF) In addition, the Court Orders prior to 2 March 2009 state that "any 
processing by technical personnel of the BR metadata acquired pursuant to this Order 
shall be conducted through the NSA’s private network, which shall be accessible only via 
select machines and only to cleared technical personnel, using secured encrypted 
communications." The end-to-end review revealed that the way in which NSA protects 
the data is not precisely as stated in the Court Order; however we believe NSA’s 
implementation is consistent with the intent of preventing unauthorized users from 
accessing the data. For example, there are not specifically designated or "select" 
machines from which technical personnel access and process the data on NSA’s private, 
secure network. The internal NSA communications paths on its classified networks are 
not encrypted, but are subject to strong physical and security access controls ~ which 
provide the necessary protections. 



(TS//SI//NF) The end-to-end review also revealed that data integrity analysts, in order to 
conduct their authorized duties, pull samples of raw BR metadata into their private 
directories on the NSA network, which they access via username and password, to 
analyze the metadata in order to develop new parsing rules or prepare samples for spot 
checks. The private directories offered them a workspace to analyze the metadata using 
tools and applications that they could not invoke in 

While these private directories could be interpreted to be an additional data 

repository to the two 

already 

described to the Court, the BR FISA data is not accumulated as in a true database 
repository. The data integrity analysts are authorized to access the data, and any 
importation to their own systems was deleted when no longer needed. 



(TS//SI//NF) Additionally, the review uncovered that data integrity analysts, in 
conducting their authorized duties, copied data into two shared directories created for 



f NSA complex is a Sensitive Compartmented Information Facility (SCIF) that is an 
accredited installation, incorporating strong physical and security access control measures (barriers, locks, 
alarm systems, armed guards), to which only authorized personnel are granted access. Within NSA, only 
approved users of NSANET can gain access to the network through login and password. Once on the 
network, the user can only access the BR FISA metadata if additional access controls specifically allow 
such access. Access to particular data sets is granted based on need-to-know and is verified via Public Key 
Infrastructure (PKI). 

restricted information with a controlled user set. These shared directories also offered 
access to similar tools and applications as mentioned above. NSA learned that roughly 
170 personnel who at one time had been cleared for sensitive metadata programs had 
access to files on this server. Approximately 15% of these personnel were system 
administrators or data integrity analysts; the remainder included intelligence analysts, 
managers and engineers. While it was possible for the files to be accessed by any of these 
personnel, it is unlikely that anyone other than data integrity analysts would have done so 
since it would have been outside the scope of their duties. 

(U) Remedial Steps 

(TS//SI//NF) A notice was filed with the FISC on the matter of sharing results of queries 
within NSA as it relates to the BR FISA Order on 12 June 2009. While NSA believes the 
ability of BR FISA-authorized analysts to share unminimized query results with the 
broader population of NSA analysts working 
is critical to the success of its counterterrorism efforts, effective 8 June 2009 NSA began 
the process of limiting 
authorized analysts. 

Court explicitly authorized the continuation of internal sharing of the results of 
authorized queries with NSA analysts other than the limited number authorized to access 
the bulk metadata, provided all analysts receiving such results receive appropriate and 
adequate training. The government anticipates seeking 
the BR FISA context. 




Im 



(TS//SI//NF) Regarding the handling of metadata by technical personnel, NSA 
implemented additional access controls using UNIX group access control which assured 
that only the data integrity analysts were in the “group” which could access this data, and 
is providing appropriate protected storage areas for the data integrity analysts’ work files. 
With regard to the manner in which NSA secures the BR FISA metadata, NSA will work 
with DoJ to more accurately reflect in any future application to the Court the current 
method of providing protection. Instead of accessing the data via select machines using 
secured encrypted communications, NSA provides protection through the use of the 
secure network; use of NSA’s identity and authorization access control service; and other 
NSA corporate standard data protection services. 

5. (TS//SI//NF) System Developer Access to BR FISA Metadata while Testing New Tools 

(U) Description 

(TS//SI//NF) In its review of all tools and interfaces that allowed access to BR FISA 
metadata, NSA determined that developers assigned to work 
a next generation user interface (GUI) which is 

the replacement for had queried BR FISA metadata 

chaining summaries 20 times during the course of their testing between 26 September 
2008 and 11 February 2009. This access occurred due to the dual responsibilities of the 

The Court is now 
aware of this issue, and the Court’s 29 May Order specifically excludes from its scope the 
aforementioned foreign-to-foreign metadata. The provider ceased providing this metadata 
on the same day as the Order was signed. NSA is coordinating with the provider and the 
NSD/DoJ to resolve this matter. 



Unintentional Omission of OGC Review of U.S. Identifiers 

(U) Description 

(TS//SI//NF) It was recently discovered that during the June through October 2006 
timeframe, in the process of implementing the initial BR FISA Orders, a few domestic 
numbers were designated as RAS approved and chained without OGC approval due to 
compound analyst errors. These errors occurred when analysts inadvertently selected the 
incorrect option in a GUI. The correct option would have designated the domestic 
identifier as needing OGC approval. The incorrect option put the domestic selector into a 
large list of foreign selectors which did not need OGC approval as part of the RAS 
approval process. In those cases where the Homeland Mission Coordinator (HMC) failed 
to notice the domestic number in the large list of foreign selectors and the RAS 
justification was approved, the number was chained. NSA continues to investigate this 
matter, but, based on available records, NSA’s initial estimate is this occurred fewer than 
ten times. NSA will provide additional information as appropriate. A notice was filed 
with the FISC on this issue on 29 June 2009. 



(U) Remedial Steps 

(TS//SI//NF) Each time an error was identified through quality control, senior HMCs 
provided additional guidance and training, as appropriate. Continued training and 
management oversight, in particular when new analysts arrived, helped ensure such 
errors were not repeated. 

8. (TS//SI//NF) External Access to Unminimized BR FISA Metadata Query Results

(U) Description

(TS//SI//NF) In examining NSA’s practice of sharing BR FISA metadata query results
internally with other NSA analysts working authorized [redacted], NSA learned of CIA,
FBI, and NCTC analyst access to unminimized BR FISA metadata-derived query results
and target knowledge information via an NSA counterterrorism database. This matter,
just recently identified, was a collaboration practice that was in place prior to the
inception of the BR FISA Court Order. Over time, approximately 200 analysts at CIA,
FBI, and NCTC had been granted access to this target knowledge base. When the BR
program was brought under the jurisdiction of the FISA Court, this practice was not
modified to conform with the Order’s requirements for the dissemination of BR FISA
metadata-derived query results outside of NSA. A notice was filed with the FISC on
this matter on 16 June 2009.



(U) Remedial Steps 

(TS//SI//NF) While NSA disabled the hyperlink button used by the external analysts to
access this target knowledge database in the Summer 2008 timeframe, NSA learned that
the external analysts could have still accessed the data if they retained the URL address.
Upon identifying this as an area of concern on 11 June 2009, NSA began terminating
external customer account access to the target knowledge database, completing the action
by 12 June 2009. NSA is continuing to investigate this matter; audits are now underway
to determine the extent to which the query results may have been accessed. Once
completed, NSA will provide a full explanation of this practice.
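
The gap described above, as an added illustration that is not part of the report: hiding a link changes only what the interface shows, while access ends only when the account itself is terminated and that state is checked on every request. The portal model, account names, URL path and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

KB_URL = "/kb/target-knowledge"  # hypothetical path, not from the report


@dataclass
class Portal:
    show_link_to_external: bool = True             # presentation state only
    accounts: dict = field(default_factory=dict)   # user -> {"external", "active"}
    audit_log: list = field(default_factory=list)  # one record per request

    def menu_for(self, user):
        """Links the interface renders for this user."""
        acct = self.accounts[user]
        if acct["external"] and not self.show_link_to_external:
            return []
        return [KB_URL]

    def request(self, user, url, when):
        """Server-side decision. It never consults the menu, so a retained
        URL works for as long as the account stays active."""
        acct = self.accounts.get(user)
        ok = url == KB_URL and acct is not None and acct["active"]
        status = 200 if ok else 403
        self.audit_log.append(
            {"when": when, "user": user, "url": url, "status": status})
        return status


def disable_link(portal):
    """The first remedial step: remove the button for external users."""
    portal.show_link_to_external = False


def terminate_external_accounts(portal):
    """The later remedial step: end the access itself."""
    for acct in portal.accounts.values():
        if acct["external"]:
            acct["active"] = False


def external_hits_since(portal, since):
    """Audit query: successful external requests on or after a given time."""
    return [e for e in portal.audit_log
            if e["status"] == 200 and e["when"] >= since
            and portal.accounts[e["user"]]["external"]]


def run_scenario():
    portal = Portal(accounts={
        "nsa_analyst": {"external": False, "active": True},
        "ext_analyst": {"external": True, "active": True},
    })
    link_removed = datetime(2008, 7, 1)  # constructed date
    disable_link(portal)
    out = {"menu_after_link_removed": portal.menu_for("ext_analyst")}
    # The external user still has the address saved from before.
    out["bookmark_after_link_removed"] = portal.request(
        "ext_analyst", KB_URL, datetime(2008, 9, 15))
    portal.request("nsa_analyst", KB_URL, datetime(2008, 9, 16))
    terminate_external_accounts(portal)
    out["bookmark_after_termination"] = portal.request(
        "ext_analyst", KB_URL, datetime(2009, 6, 13))
    out["internal_after_termination"] = portal.request(
        "nsa_analyst", KB_URL, datetime(2009, 6, 13))
    out["audit_hits"] = [(e["user"], e["when"].date().isoformat())
                         for e in external_hits_since(portal, link_removed)]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "=", value)
```

The audit query only answers the question because every request, allowed or denied, is logged at the point where the decision is made.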

9. Dissemination of BR FISA Information 



(U) Description

When an NSA analyst determines that information identifying a U.S. person
is critical to include in a metadata report, he or she is required to obtain dissemination 
authorization from the designated NSA approving office in accordance with the Court’s 
Order. Specifically, the order requires that prior to disseminating any U.S. person 
information outside of the NSA, the Chief of Information Sharing Services must 
determine that the information is related to counterterrorism information and is necessary 
to understand the information or to assess its importance. In fact, the Chief of 
Information Sharing Services, when unavailable, has in the past delegated this authority, 
typically to the Deputy Chief. Additionally, after hours or in an emergency situation, this 
authority has also been delegated to NSA’s Senior Operations Officer (SOO) in its 
National Security Operations Center (NSOC). 



[redacted] practice of sharing BR FISA metadata analytic results also applied to
[redacted] which was established to [redacted] of sensitive metadata among NSA’s
[redacted] the

(TS//SI//NF) NSA is currently conducting a review of any BR FISA metadata-derived
reports that contained U.S. person identifying information to determine consistency with
the Court’s Order. Once this is completed, the results will be provided.




III. NSA’s End-to-end BR FISA Review
A. (U) Scope 

(TS//SI//NF) NSA established a team of experts to conduct a thorough end-to-end
systems engineering and process review of the BR FISA metadata workflow. The team
reviewed 93 requirements extracted from the March 2009 BR FISA Court Order,
Application and Declaration; dataflow diagrams; and system documentation (to include
systems engineering and security plans) to ensure a complete understanding of how the
requirements were being met prior to 2 March 2009, how well they are currently being
met, and what changes may be needed to ensure compliance. The team then used these
requirements as a basis to examine six key aspects (systems architecture, analyst
workflow, management control, compliance auditing, oversight, and training) of NSA’s
handling of BR FISA metadata, and to establish a comprehensive plan to ensure that all
requirements are addressed and properly implemented.

(TS//SI//NF) Another critical step in preparing to conduct the end-to-end review was to
identify and map how all the system components fit together. Lack of such end-to-end
awareness contributed to the problems initially reported to the FISC. The
systems/processes reviewed were:



1. [redacted]

2. [redacted]

3. [redacted]

4. [redacted] repository for individual BR FISA metadata one-hop chains

5. the Telephony Activity Detection (Alerting) Process

6. the Reasonable Articulable Suspicion (RAS) Approval Process

7. the BR FISA Analytic Tools and Processes

8. the BR FISA Analyst Decision and Reporting Process.

[redacted] NSA’s corporate file transfer/distribution system
[redacted], NSA’s corporate contact chaining system
[redacted] NSA’s



(U//FOUO) See Declaration of the Director of the National Security Agency (DIRNSA)
dated 13 February 2009.

databases are accessible to BR FISA-authorized intelligence analysts. These analysts also
use the following processes: the Activity Detection (Alerting) Process, the RAS Approval
Process, the BR FISA Analytic Tools/Processes, and the BR FISA Analyst
Decision/Reporting Process to identify, query, analyze and ultimately disseminate
information derived from the metadata. These eight components, part of a large and
complex system, are further described in Section III.C. and pictured in Figures 1-10.
Figure 1 provides a top-level view of the overall architectural system, Figure 2 highlights
the eight components, while Figures 3-10 highlight each of the individual components in
greater detail. Each component is reflected with corresponding colors in the diagrams.

(TS//SI//NF) In concert with this systems engineering end-to-end review, NSA conducted
a thorough review of its analytic processes, management controls, auditing mechanisms, 
oversight and training for the BR FISA metadata handling. This included a thorough 
examination of each activity, tool and analytic process to assure that it operated in 
compliance with the Court Order. The review led to several additional audits to ensure 
that no compliance incidents had occurred and to examine whether or not the individuals 
who worked with the BR FISA metadata fully understood the applicable authority and 
limitations. Documentation and training were also updated. Each part of the review 
compared the component or process being reviewed with the relevant requirement from 
the list extracted from the Court documents. 

(TS//SI//NF) NSA’s systems engineering and workflow reviews surveyed the processes
and tools as they existed before any remedies were implemented. This retrospective
evaluation enabled NSA to develop the near-term corrective measures necessary for
current Court-approved operations and potential resumption of regular access to the BR
FISA metadata should it be authorized by the Court. It also informed plans for
incorporating the BR FISA flow into the NSA future architecture more effectively.



B. (U) Methodology:

(TS//SI//NF) NSA employed a repeatable and well-documented process in conducting its
end-to-end review. NSA derived technical requirements from the legal requirements
governing BR FISA metadata handling. As noted, NSA simultaneously began to develop
an end-to-end systems engineering diagram of the systems and databases that support BR
processing and storage. NSA also developed and conducted Initial Privacy Assessments
(IPAs) which include a standard set of questions used to determine, among other things,
whether the system or process under review interacts with data that could contain
information about U.S. persons. The outcome of the IPA determines whether a more
in-depth Privacy Impact Assessment (PIA) is required to fully explore the extent of
interaction and whether any privacy compliance concerns exist. An IPA was conducted
for any system or process identified as potentially part of the BR FISA metadata
end-to-end data flow. For those systems confirmed to be in contact with BR FISA
metadata via the IPA, a PIA was performed. The results of the IPAs and PIAs were then
compared against the Court-derived requirements to determine the level to which each
requirement was satisfied. For any system or process for which there was concern, NSA
is developing well-documented, fully-tested corrective solutions should the Court decide
to allow NSA to resume its regular access.




: MS A metadata from 
according to data sourci 
be used for the different 
m this data set. 

1 in Section ILB.6, NSA 
of the BR FISA metada 




[redacted] NSA’s corporate file forwarding service, provides for
distribution of the BR FISA metadata from the collection source to the analytic 
repositories. It accepts files from sources and transports those files to the end destinations 
identified in the filename given to the file by the source system. 



(C//REL TO USA, FVEY) The IPA/PIA framework provided a way for the Agency to assess compliance
risk. This framework was not used to supersede any Court-derived requirements. Both the IPA and PIA
templates were based on Department of Defense (DoD), DoJ or Homeland Security Privacy Assessment
frameworks and then adjusted for the SIGINT environment. While IPAs and PIAs are not required for the
Intelligence Community, they provided a sound methodology for the systems engineering end-to-end









aeeu rat e connects 
q lienee 
authorized to do. ' 
received from one 
only query the dal 
test and evaluate t 
create an EAR-by 
ability of the data 
it could result in i 



{TSrSiiiMI^Whil 
Chaining Databas 
to prevent a BR F 
hops from a RAS- 
to provide this cos 
management over 
Court Order. 



at tec 
ie Co 
a soft 
traini 
i acco 



(TS//S1/NF) The £ 
a defeat list indue 
effectively. The ir 



[redacted] is used by authorized analysts to view detailed data about specific calling
events. As the Chaining Database only contains summaries of one-hop chains (i.e.,
selector contact with selector 2 - N times within a specific timeframe),

database used to store correlations between selectors



(TS//SI//NF) The Telephony Activity Detection Process is not currently operational as
the result of the compliance issue previously reported to the FISC [22] and as described in
Section II.A.1 of this report. NSA shut down the Activity Detection Process entirely on
24 January 2009 as a corrective measure. (Of note, under the prior implementation
before contact chaining could take place in the complete body of archived metadata and
before any results of such analysis were disseminated, the alerting selector had to satisfy
the RAS standard and be approved explicitly as having done so.) This process was
thoroughly examined in the course of the end-to-end review and consequently a revised
implementation, as described in Section V.A., has been proposed should the Court
approve resumption of regular access.

6. RAS Approval Process 

The RAS Approval Process is the mechanism by which an analyst must be
able to articulate some fact or set of facts that causes him or her to suspect in light of the
totality of the circumstances that a particular number is associated with [redacted]
before he or she may use a telephone number or
electronic identifier as a seed to query the BR FISA metadata.



(TS//SI//NF) The RAS Approval Process in place until 2 March 2009 (the date of the
FISC Order) incorporated a combination of documented guidance and well-understood
procedures as outlined in the OGC RAS Memo and the analytic office’s RAS Working
Aid. During the three years that DoJ has reviewed NSA RAS approvals, no spot check
has revealed a faulty RAS approval decision.



7. (TS//SI//NF) BR FISA Analytic Tools and Processes

(TS//SI//NF) The BR FISA Tools were designed to analyze the raw BR FISA metadata as
well as the output of analytics such as contact chaining. Analysts used these [redacted]
tools against the BR FISA metadata and chaining results to identify possible terrorist
communications into, from and within the US.

(TS//SI//NF) Two instances of concern related to the analytic tools and processes used by
the BR FISA-authorized intelligence analysts were identified through the end-to-end
review and are described in Sections II.A.2. and II.B.3. These tools and processes, which
were designed to function against both the BR FISA metadata and other categories of
telephony metadata that NSA acquires through SIGINT operations authorized under the
general provisions of EO 12333, were used primarily by analysts within NSA’s Office of
Counterterrorism to identify possible terrorist connections into, from, and within the U.S.,
as well as foreign-to-foreign communications. Twelve of the 19 analytic tools examined
were developed under [redacted] systems architecture and are well-documented,
configuration-controlled and audited. The other seven BR FISA analytic tools examined
were developed in whole or in part by engineers working in the Counterterrorism
Organization to meet constantly changing mission requirements, resulting in limited
configuration and change management control. All seven of these tools were either
monitored through existing O&C audits or were subjected to new audits and/or reviews
[illegible] the end-to-end review. With the exception of [redacted] and GUI, none of
these tools are currently able to access the BR FISA metadata.

See DIRNSA Declaration dated 13 February 2009

(TS//SI//NF) To mitigate risk in the future, NSA will transition the BR FISA analytic
tools and processes to the corporate NSA enterprise architecture and will no longer
develop tools within the Office of Counterterrorism. Complete end-to-end testing will be
conducted for all tools against a standard set of BR FISA requirements to ensure they are
fully compliant prior to resumption of automated operations if authorized by the Court.



Analyst Decision and Reporting Process 



(TS//SI//NF) The Analyst Decision and Reporting Process encompasses the target
knowledge, guidelines and procedures that enable intelligence analysts to determine what
information meets customer requirements. It also involves the evaluation and
minimization procedures intelligence analysts employ when analyzing data and drafting 
and disseminating reports. 



(TS//SI//NF) Prior to the alert list shutdown on 24 January 2009, the BR FISA analyst
decision and reporting workflow began when an HSAC analyst was notified of a match
between a known selector of counterterrorism interest and an identifier in the ingested 
BR FISA metadata, when an analyst received an RFI from a customer, or when an 
analyst was continuing analysis on an existing target set. Aside from the activity 
detection list, the process remains the same today on selectors that are specifically 
approved in accordance with the Court's Orders. If NSA has reason to believe the 
information constitutes valid threat-related activity, NSA applies USSID 18 to minimize 
information concerning U.S. persons and then reports the information to the FBI, CIA, 
NCTC and ODNI, and other customers, as appropriate. 

(TS//SI//NF) NSA reviewed its analytic workflow to ensure the BR FISA metadata was
appropriately handled, analyzed and disseminated. Three new areas of concern, discussed
in Section II.B, were identified with the BR FISA Analysis Decision and Reporting
Process in addition to that which was previously described to the Court and discussed in
Section II.A.

See Supplemental DIRNSA Declaration dated 25 February 2009, at 8, Section 2
(Inappropriate analyst querying).



As a by-product of the end-to-end review, NSA has updated the interim
analytic BR FISA Standard Operating Procedures (SOP) to ensure compliance with the
current Court Orders and is coordinating this document with DoJ as required by the
Court. This SOP outlines step-by-step instructions for the authorized intelligence analysts
in handling the BR FISA metadata; describes the procedures used to control access to the
BR FISA metadata; provides the steps used to conduct weekly audits of the analysts’
queries and tools; and details the methodology used to query the BR FISA metadata
under newly established Imminent Threat Concept of Operations guidelines. NSA will
continue to maintain the SOP and CONOP as “living documents” and update them as
needed.

(TS//SI//NF) NSA also continues to maintain and regularly update an 11-step
comprehensive checklist that outlines both the Homeland Mission Coordinator and
analyst responsibilities in the BR FISA metadata analysis and reporting process. The
checklist is comprised of over 30 components that require analysts to answer a variety of
questions, including whether the proposed report falls within the scope of BR FISA
authorities and express OGC guidelines; whether NSA attempted to get additional
information about the selector from the FBI and CIA integrees at NSA; and whether
cellular identifiers were checked to determine if the user had roamed into another
country. The checklist also reminds analysts to detail the information/intelligence
source(s) that prompted the report’s production.



(TS//SI//NF) In addition, NSA has in place a combination of web pages and on-line aids 
dedicated to end-product reporting and dissemination guidance. These detailed working 
aids, together with required USSID 18 training for all BR FISA-approved intelligence 
analysts, require that any NSA BR FISA-based reporting that contains U.S. person
information follow NSA’s standard minimization procedures found in USSID 18 and the 
Court Order. 

IV. (U//FOUO) NSA’s Minimization and Oversight Procedures

(TS//SI//NF) NSA has well-documented and long-standing minimization procedures for
ensuring protection of U.S. persons’ information in SIGINT analysis and reporting under
all SIGINT authorities, to include the FISA Order. NSA’s normal regime of compliance
oversight for handling the BR FISA is a comprehensive, multi-pronged approach
involving DoJ and NSA’s OGC, O&C, Office of the Inspector General and SID.
Currently, NSA is required to consult with DoJ on all significant legal opinions involving
BR FISA metadata handling. DoJ meets with the appropriate NSA representatives at least
once every renewal period to review the program. Prior to the 2 March Court Order that
the FISC make all RAS determinations, DoJ also conducted “spot checks” to review a
sampling of justifications (RAS determinations) for querying the metadata. NSA, in turn,
provides internal oversight to the BR FISA program by a variety of oversight controls
and compliance mechanisms to prevent, detect, correct and report incidents and
violations of the procedures, to include technical, physical and managerial safeguards
such as: examining samples of call-detail records to ensure NSA is receiving only
compliant data; ensuring analysts are trained in the querying, dissemination and storage
restrictions for the metadata; monitoring analytic access to the metadata; auditing queries
on a weekly basis by O&C; monitoring audit functionality; reviewing the BR FISA raw
database repositories; and examining the list of RAS-approved selectors.

(TS//SI//NF) In light of the compliance issues that surfaced specific to the handling of the
BR FISA metadata, NSA reviewed its minimization procedures as well as its oversight
procedures, to include auditing, documentation, and training, to identify areas for
potential improvement. All were identified as areas for enhancement to ensure that
personnel handling the BR FISA metadata are aware of and compliant with the Court
Orders governing its use and dissemination.

A. (U) Minimization 

(TS//SI//NF) Every NSA intelligence analyst is required to complete training and pass a
test on USSID 18 minimization procedures every two years as a pre-requisite for access
to unminimized/unevaluated SIGINT data. Additionally, intelligence analysts must
receive an OGC compliance briefing and on-the-job training (OJT) regarding their
responsibilities for handling metadata containing U.S. person information prior to being
granted access to the BR FISA metadata. They also have on-line access to detailed
working aids including required minimization procedures. NSA will continue to
emphasize the critical importance of applying USSID 18 and the Court Order
requirements as they relate to the handling and dissemination of BR FISA.

B. (U) Oversight 

1. (U//FOUO) Oversight Auditing Mechanisms

(TS//SI//NF) NSA assessed requirements for auditing of systems, tools, processes and
analyst queries to ensure the proper compliance procedures were in place. A total of 13
audits related to BR FISA metadata access and querying were conducted either as the
result of standing requirements or in response to issues identified through the end-to-end
review. Descriptions of resultant anomalies are captured in Section II.

(TS//SI//NF) NSA audits samples of queries conducted by BR FISA-authorized
intelligence analysts and data integrity analysts in [redacted] on a weekly basis. As a
result of a review of its oversight processes, O&C created a dedicated senior
intelligence analyst position to enhance auditing of BR FISA metadata queries.

2. (U//FOUO) Oversight Documentation and Procedures

(TS//SI//NF) Oversight documentation and procedures governing BR FISA metadata
handling consist of a set of SOPs that have been reviewed and revalidated. They are as
follows:

• “Access”: This SOP outlines the procedures for gaining and maintaining
access to the BR FISA metadata in a way that is compliant with the BR
FISA Court Order.

• “BR FISA Audit Procedures”: This document outlines the procedures
used to audit BR FISA analyst queries.

• “Compliance Notification”: This document addresses the procedures to
be followed when compliance issues are noted.

• “DoJ and OGC Spot Checks”: This SOP addresses the procedures to be
followed for the required, regular DoJ and/or OGC spot checks.

• “Oversight”: This document outlines the roles and responsibilities of the
DoJ, the NSA Director, the OGC, O&C, the Inspector General, [redacted]
and those Counterterrorism Organization analysts
approved for BR FISA metadata access.

3. (U) Oversight Training 

(TS//SI//NF) NSA’s Associate Directorate of Education and Training (ADET) had
already been working with O&C and OGC to redesign the required training for accessing
BR FISA metadata to better enforce appropriate handling of this data and to introduce 
competency testing as part of the O&C curriculum. The curriculum will be administered 
on-line to allow students 24/7 access to the course material. 



(TS//SI//NF) The redesigned BR FISA portion of the training package addresses the
knowledge and procedural components of handling BR FISA data, and now requires the
analyst to read the most current Court Order and the OGC instructions, and in the future
will require them to view an OGC video briefing about the BR FISA program and
complete the following six lesson tutorials:

1. “Overview of the Reasonable Articulable Suspicion standard,” as covered
in OGC instructions

2. “Summary of the RAS standard,” to aid NSA analysts in preparing RAS
justifications

3. “Association with [redacted],” to identify how associations are
established in order to qualify a target for RAS justification

4. “First Amendment Considerations,” to identify limitations and
considerations when targeting U.S. persons within BR FISA data

5. “Sources of information,” to identify the supporting information used to
justify the RAS determination

6. “The BR FISC Order,” which explains the content of the BR FISA Orders

(TS//SI//NF) A computer-based competency examination will be administered upon
completion of this training and remediation will be provided for missed questions. Once
an analyst has demonstrated the necessary knowledge by successfully passing the exam,
he or she will complete formalized OJT before O&C grants access to the data.

OJT component has always been administered by an experienced HMC
or senior analyst experienced in conducting OJT. This training specifically addresses how
analysts are permitted to use the BR FISA metadata, reinforces the unique privacy
concerns and handling requirements of this data, and demonstrates the various tools that
can be used to query the BR FISA metadata. In addition, each HMC and authorized
intelligence analyst is required to sign a user agreement, documenting that he or she has
read and understands the obligations associated with handling the BR metadata.



(TS//SI//NF) NSA has also begun to provide tailored briefings to all technical personnel
that have been granted access to the BR FISA metadata. The tailored briefings outline 
the categories of data obtained under the BR FISA Court Order and the restrictions 
associated with the technical personnel’s duties. For example, the briefings make it clear 
that the Collection Managers and System Administrators are not authorized to query the 
BR FISA metadata for foreign intelligence purposes. The briefing also outlines the 
correct offices to contact if the technical personnel see possible compliance issues in the 
course of their duties. 

(TS//SI//NF) As part of the BR FISA training redesign, complete training records will be
maintained by ADET for each individual. The documentation will include the test score, 
answers to individual test questions, and performance feedback from the OJT component. 
This documentation will allow for tracking of access to the BR data on an individual 
basis. 



V. (U//FOUO) NSA’s Future Architecture

(TS//SI//NF) Using principles of system engineering, configuration management and 
access control, NSA has considered the future implementation of the BR FISA program 
including the automated activity detection process to be used should the Court authorize 
NSA to resume regular access to the BR FISA metadata. 

A. (U//FOUO) Future BR FISA Activity Detection (Alerting) Process

(TS//SI//NF) NSA could resume automated activity detection in a fully compliant manner
should the Court approve. NSA would maintain an Activity Detection (alert) List
containing only RAS-approved selectors. Only the RAS-approved selectors on this “BR
Identifier List” would be compared to the BR FISA metadata. With Court approval to
resume automated querying, NSA will work with NSD/DoJ to ensure the BR Identifier
List will be populated with only those selectors that the Court has authorized. Should the
Court grant NSA RAS decision authority, NSA would begin to augment the BR Identifier
List with additional identifiers that NSA approves as having satisfied the RAS standard,
using the improved processes and training identified in this document.

B. (U) Future of Overarching Architecture

(TS//SI//NF) In the future, should the Court authorize NSA to resume regular access to
the BR FISA metadata, NSA will migrate the dataflow and life cycle management of the
BR FISA metadata to its next generation system architecture which offers more effective
and efficient management and control. This architecture is designed to be flexible enough
to adapt to changes in the legal and oversight requirements, while conforming to
applicable governing authorizations such as EO 12333 and BR FISA.

(U//FOUO) In the future architecture, the end-to-end BR FISA dataflow will be referred
to as a system “thread.” As such, NSA would manage the entire capability via a “Thread
Engineering Team” to guide the requirements development, systems integration, use-case
development, testing/validation and planning for current and future enhancements.

Thread engineers would meet with representatives from the OGC and O&C to define and
validate requirements prior to development. System-wide configuration management
would be implemented to log the expected software builds and patches. Such practices
exist now, but there is no thread focused on the Business Records process.

(TS//SI//NF) The proposed systems supporting BR FISA dataflow and life cycle within
the next generation architecture encompass both technical- and personnel-based strategies
to ensure that data is accessed, retained and purged in full compliance with authorities 
granted to NSA by the FISC. Moreover, the implementation of centralized processes and 
databases will ensure that all aspects of the dataflow will continue to be tracked and 
audited to further ensure that any non-compliance issues can be promptly identified and 
addressed. Plans for addressing key requirements for BR FISA metadata are as follows: 



1. Access Control

A new access control application will be applied to all databases and
systems supporting the BR FISA workflow. This application will validate the credentials
of users to govern what systems they are approved to access, and validate that their
required training is current. PKI, which offers security measures for identification and
authentication, as well as for access control, and audit capability will be used to manage
users with access to the raw data or query results.

2. (U//FOUO) Data Standardization

(TS//SI//NF) A data standardization platform will date-stamp the incoming BR metadata
and ensure its consistent and accurate structure. This will allow quick and accurate
date-based purging once the Court-ordered time frame has been reached.

3. (U//FOUO) Databasing RAS Selectors

(TS//SI//NF) An updated and improved centralized target knowledge database for storing
telephony and email selectors has been under development since October 2008. This
database will enable more efficient storage and retrieval of key information about each
BR FISA telephony identifier such as its RAS status and the justification, and OGC
approval as appropriate, for those that have been RAS-approved. These features are
scheduled for completion during the fourth quarter of FY09.

4. (TS//SI//NF) Analytical Processing and Call Chaining

An enhanced call chaining function and data processing capability will
support large volumes of automated algorithms, handle growing ingest rates and deliver
faster query responses. Additionally, the metadata will be stored using security tags, a
measure which can be used to restrict the visibility of individual entries in the database to
personnel with the appropriate access credentials.

5. Auditing and Monitoring

(U//FOUO) Enhanced auditing will provide a means to track a data user’s activity
patterns, the state of a user’s operations, and the frequency and composition of queries. 

A formal metrics and monitoring system will also be used to monitor the status of the 
end-to-end processing and will alert management and operations personnel when 
processing anomalies are detected. 
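
An added sketch, not code from the report or from any NSA system, of three controls that items 2, 4 and 5 describe: date-stamping at ingest so that purging becomes a date comparison, per-row security tags checked against the caller's credentials, and an audit record for every query. The field names, tag names, 30-day window and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

FIELDS = ("calling", "called", "call_time")   # assumed record layout

@dataclass
class TaggedStore:
    retention: timedelta                       # placeholder retention window
    rows: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def ingest(self, raw, tags, now):
        """Normalize one record, stamp it with the ingest time, attach its tags."""
        if any(not str(raw.get(k, "")).strip() for k in FIELDS):
            self.audit.append((now, "ingest-rejected", sorted(raw)))
            return False
        row = {k: str(raw[k]).strip() for k in FIELDS}
        row.update(ingested_at=now, tags=frozenset(tags))
        self.rows.append(row)
        return True

    def purge(self, now):
        """Delete rows whose ingest stamp is older than the retention window."""
        cutoff = now - self.retention
        kept = [r for r in self.rows if r["ingested_at"] >= cutoff]
        removed = len(self.rows) - len(kept)
        self.rows = kept
        self.audit.append((now, "purge", removed))
        return removed

    def query(self, user, creds, selector, now):
        """Return matching rows whose every tag the caller holds; log the query."""
        hits = [r for r in self.rows if selector in (r["calling"], r["called"])]
        visible = [r for r in hits if r["tags"] <= set(creds)]
        self.audit.append((now, "query", user, selector,
                           len(visible), len(hits) - len(visible)))
        return visible

def demo():
    """Constructed sample data: two well-formed records and one malformed one."""
    t0 = datetime(2009, 1, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    s = TaggedStore(retention=30 * day)
    ok1 = s.ingest({"calling": " 5550001 ", "called": "5550002", "call_time": "t"},
                   {"tag-a"}, t0)
    ok2 = s.ingest({"calling": "5550001", "called": "5550003", "call_time": "t"},
                   {"tag-a", "tag-b"}, t0 + 20 * day)
    bad = s.ingest({"calling": "5550001", "called": ""}, {"tag-a"}, t0)
    seen = s.query("analyst1", {"tag-a"}, "5550001", t0 + 21 * day)
    purged = s.purge(t0 + 35 * day)
    return ok1, ok2, bad, len(seen), purged, len(s.rows), s.audit
```

The query entry in the audit list records how many matching rows were withheld as well as how many were returned, which is the "frequency and composition of queries" signal a reviewer would monitor.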

VI. (U) Conclusion 

(TS//SI//NF) As discussed above, NSA has thoroughly reviewed the technological 
systems, analytic workflows and processes associated with its implementation of the BR 
FISA Court Order, and has introduced corrective measures to address specific concerns 
and vulnerabilities. These new measures will ensure a balanced focus on technological 
solutions and management controls. The end-to-end review also revealed areas for 
improvement which have been documented and will continue to be addressed. Where 
changes were made impacting current manual operations, a combination of system 
evaluations, demonstrations and audits provided confidence that the technical fixes are 
actually configured and operating as intended. 



(TS//SI//NF) The remedial actions described in this report are subject to ongoing 
improvement and will support strict adherence to the Court Order. Although no 
corrective measure is infallible, NSA has taken significant steps designed to eliminate the 
possibility of any future compliance issues and to ensure that the mechanisms are in place 
to detect and respond quickly if one were to occur. 

See Automated Chaining and Analysis Tool 
and GUI 

A list of foreign and domestic telephone 
selectors believed to be associated with 
terrorist targets. The Activity Detection 
List is independent of the Station Table. 
Formerly called the Alert List, this list is 
now more commonly referred to as the 
Activity Detection List in order to be more 
descriptive. 

See Activity Detection List 

A database used to store correlations 
between selectors 



t is one of 



led chaining 
based on the 



c que 



analysts 



etada 
LAs v 



Emphatic Access Restriction (EAR) 



A software restrictive measure written into 
the middleware on 20 

Initial Privacy Assessment (IPA) 


A review of a system or process which 
includes a standard set of questions used to 
determine, among other things, whether the 
system or process under review interacts 
with data that could contain information 
about U.S. persons. 


IPA 


See Initial Privacy Assessment 



NSA’s corporate file transfer/distribution 
system 

NSA’s corporate contact chaining system. 



Metadata 




“Data about the data”; for example, 
information about a telephone call, to 
include the calling and called numbers, 
time of call, etc. Metadata does not include 
content. 




The repository for individual BR FISA 
metadata call records for access by 
authorized Homeland Security Analysis 
Center (HSAC) and data integrity analysts 

A selection management system used to 
manage and task selectors, such as 
telephone numbers, IMEIs, and IMSIs, to 
many different information collection 
systems worldwide. 


Parsing Rules 


A method for separating data into 
standardized data fields. 


PIA 


See Privacy Impact Assessment 


PKI 


See Public Key Infrastructure 


Public Key Infrastructure (PKI) 


An information assurance service that 
supports digital signatures and other 
public-key based security mechanisms, and 
offers security measures such as 
identification and authentication, access 
control and audit capability. 


Privacy Impact Assessment (PIA) 


An in-depth, standardized review of 
privacy concerns for a particular system or 
process 


Requirements 


The terms contained in the governing BR 
FISA metadata documents that must be 
satisfied as part of the end-to-end workflow. 


Sanitize 



The process of disguising intelligence to 
protect sensitive collection sources, 
methods, capabilities or analytic 
procedures in order to disseminate to 
customers at a classification level they can 
use. 


Seed 


An initial selector used to generate a chain 
query. 


Selector 


An identifier, in BR FISA realm could be 
an IMEI, IMSI, or MSISDN, as well as a 
telephone number. 




This tool is used by HMCs to conduct 
contact chaining against BR FISA metadata 
and provide the results to the team. 
HMCs only used RAS-approved selectors 
when using this tool. The team 
ultimately provided the results to NSA’s 






See Standard Operating Procedure 


NSA’s mission element for access and 


SSP 


See System Security Plan 


Standard Operating Procedure (SOP) 


Institutionalized documentation describing 
official processes and procedures. 


Station Table 


Historic reference of all telephony selectors 
that have been assessed for RAS - and 
their associated RAS determination (RAS 
Approved or Not RAS Approved) - since 
the BR FISA Order was first signed on 24 
May 2006. 


Sub-components 


The logical and physical breakdowns of the 
BR FISA metadata workflow components 
that performed specific activities and/or 
functions. 


An analytic query tool used to seek out 
additional information on telephony 
selectors and other 

knowledge bases and reporting 
repositories. 


A next generation metadata analysis 
graphical user interface (GUI) which is the 
replacement for 


System Security Plan (SSP) 


Formal document describing the 
implemented protection measures for the 
secure operation of a computer system. 


Telephony Activity Detection (Alerting) Process 


The process used to notify NSA analysts if 
there was a contact between a foreign 
telephone identifier associated with 

domestic telephone identifier. 




The query tool which indicates whether a 
telephony selector is present in NSA data 
repositories, the total number of unique 
contacts, total number of calls, and “first 
heard” and “last heard” information for the 
selector. 